Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Transcription

1 Firews and NAT 1 Firews By conventional definition, a firew is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. firew isolates organization s internal net from larger, owing some packets to pass, blocking others. privately administered 2 1

2 Firew goals: All traffic from outside to inside and vice-versa passes through the firew Only authorized traffic, as defined by local security policy, will be owed to pass Firew itself is immune to penetration 3 Firews: taxonomy 1. Traditional packet filters Filters often combined with router, creating a firew 2. Stateful filters 3. Application gateways Major firew vendors: Checkpoint Cisco PIX 4 2

3 Firew Firew == system that filters TCP/IP UDP/IP packets according to rules Either software on user machine or network router Rules Firew (Global IP addresses) router Rules 6 3

4 Traditional packet filters Analyzes each datagram going through it; makes drop decision based on: Source IP address Destination IP address Source port Destination port TCP flag bits SYN bit set: datagram for connection initiation ACK bit set: part of established connection TCP or UDP or ICMP Firews often configured to block UDP Direction Is datagram leaving or entering internal network? Router interface Decisions can be different for different interfaces 7 Filtering rules - examples Policy No outside Web access. Outside connections to public Web server only. Prevent Web-radios from eating up the available bandwidth. Prevent your network from being used for a Smuft DoS attack. Prevent your network from being tracerouted Firew Setting Drop outgoing packets to any IP address, port 80 Drop incoming TCP SYN packets to any IP except , port 80 Drop incoming UDP packets - except DNS and router broadcasts. Drop ICMP packets going to a broadcast address (e.g ). Drop outgoing ICMP unreachables 8 4

5 Access control lists Apply rules from top to bottom: action source address dest address proto source port dest port flag bit ow outside of TCP > any ow outside of TCP 80 > 1023 ACK ow outside of UDP > ow outside of UDP 53 > deny 9 Access control lists Each router/firew interface can have its own ACL Most firew vendors provide both command-line and graphical configuration interface 10 5

6 Traditional packet filters Advantages One screening router can protect entire network Can be efficient if filtering rules are kept simple Widely available. Almost any router, even Linux boxes Disadvantages Can be penetrated Cannot enforce some policies. For example, permit certain users. Rules can get complicated and difficult to test 11 Network or host firew Network firew: Network firew protected network Host firew: host with firew 12 6

7 Example: iptables chain types Linux host w/ iptables protected network INPUT chain (to iptables host) Linux host w/ iptables protected network OUTPUT chain (from iptables host) Linux host w/ iptables protected network FORWARD chain 13 iptables: example command iptables A INPUT i eth0 s /24 j ACCEPT Sets a rule Accepts packets that enter from interface eth0 with source address in /24 Kernel applies rules in order First matching rule determines action for packet Append: -A Adds rule to bottom of existing rules 14 7

8 Stateful filters Stateless filters: any packet with ACK=1 and source port 80 gets through Attack with malformed packets: send ACK=1 segments Stateful filter: adds more intelligence to decision-making process Stateful = remember past packets Needs very dynamic state table 15 Stateful filters: example Log each TCP conn initiated through firew: SYN segment Timeout entries without activity after, e.g., 60 seconds source address dest address source port dest port Rule table indicates check of stateful table: see if there is a connection entry in stateful table Stateful filters can remember outgoing UDP segments 16 8

9 Stateful example 1) Pkt arrives from outside: src= , src port=80, dst= , dst port=12699, SYN=0, ACK=1 2) Check filter table check stateful table action source address dest address proto source port dest port flag bit check conn ow outside of TCP > any ow outside of TCP 80 > 1023 ACK x ow outside of UDP > ow outside of UDP 53 > x deny 3) Connection is in connection table let packet through 17 Application gateways (aka proxy servers) App gateway between user (inside) and server (outside) User and server talk through proxy Allows fine grained/ sophisticated control Hinders protocol attacks E.g.: ftp server may not ow files >= size X gateway-to-remote host ftp session host-to-gateway ftp session application gateway 18 9

10 Mail servers and proxy Web servers Local mail server is application gateway Virus detection and removal So is Web proxy cache E.g.: virus detection and removal 19 Proxy gateways Advantages Can log connections, activity in connections Can provide caching Can do intelligent filtering based on content Simplifies service control Can perform user level authentication Simplifies firew rules Disadvantages Not services have proxied versions Need different proxy server for each service Requires modification of client Performance Hinders end-to-end encryption 20 10

11 Demilitarized Zone (DMZ) application gateway firew Internal network Web server FTP server DNS server Demilitarized zone Used for: gateways and public services Advantage: hacked server limited damage 21 IP traceback Problem: How do we determine where malicious packet came from? Why? Attackers can spoof source IP address Benefits: Determine attacker Determine zombie machine participating in DDoS attack Alternative: use ingress filtering 22 11

12 Methods for finding source Manual using current IP routing Link testing: how? Start from victim and test upstream links Recursively repeat until source is located Assume attack remains active until trace complete Link testing: problem Handle ISPs Located zombie Logging Automatic using marking algorithms 23 Logging: Key routers log packets (useful for forensics) Use data mining to find path Pros Post mortem works after attack stops Cons High resource demand: need to store and process tons of data 24 12

13 Marking algorithms Mark packets with router addresses Deterministicy or probabilisticy Trace attack using marked packets Strengths Independent of ISP management Little network overhead, traffic Trace distributed attacks, attacks post-mortem 25 Marking: assumptions Most routers remain uncompromised Attacker sends many packets Route from attacker to victim remains relatively stable A 1 A 2 A 3 A 4 A 5 R 6 R 7 R 8 R 9 R 10 R 12 V 26 13

14 Marking: summary Can determine attack path with a relatively sm number of attack packets Need to include addresses, counter in IP datagram (e.g., via fragment fields) E.g.: Practical Network Support for IP Traceback by Savage et al. Status: Lots of RFCs But not?yet? deployed 27 Network address translation (NAT) Also known as Network masquerading IP masquerading Re-writes source and/or destination address as they pass through NAT gateway Why IPv4 address shortage Standard feature Some believe it enhances: privacy, security 14

15 Simple NAT (Public IP addresses) Main NAT (Private IP addresses) (Public IP addresses) 29 Multiple NAT Main (Public IP addresses) Home NAT ISP NAT Home network ISP network (Private IP addresses)

16 NAT traversal: relay Relay S 2 Main 1 NAT NAT Local network Local network host B host A 31 NAT traversal: connection reversal rendezvous S 1 Main 2 NAT Local network host B host A 32 16

17 TURN protocol Protocol for UDP/TCP relaying behind NAT Data is bounced to a public TURN server No hole punching TURN works even behind symmetric NAT 33 Hole punching Technique to ow traffic from/to a host behind a firew/nat without collaboration of the NAT itself UDP: simple TCP: Berkeley sockets ows TCP socket to initiate an outgoing or listen for an incoming connections but not both Solution: bind multiple sockets to same local endpoint 17

18 STUN (RFC 3489) Defines operations and message formats to understand type of NAT Discovers presence and type of NAT and firews between them and Allows applications to determine their public NAT IP address 35 STUNT Simple Traversal of UDP Through NATs and TCP too (STUNT) Extends STUN to include TCP functionality 36 18

19 NAT traversal: cooperating NAT SOCKS Client server protocol Enables client (behind firew) to use server (in public ) Relays traffic Widely adopted, E.g.: Mozilla can use SOCKS SOCKS CONNECT server S 2. connect() Socks proxy 1. CONNECT NAT host A 38 19

20 SOCKS BIND server S 3. connect(33102) Socks proxy 2. Ok. Port= BIND (localport=4445, S) NAT host A listening on NAT traversal: UPnP Defines: Gateway Device (IGD) protocol Enables: Learning of ones public (external) IP address Enumeration of existing port mappings Adding and removing port mappings Assigning lease times to mappings Applications to automaticy configure NAT routing 40 20